Simon McVittie
> freezez when started with palatalisation

I assume you mean "freezes when started with parallelization". It works for me, but I don't have a machine with 48 CPU cores.

> bwrap: Can't mount proc on /newroot/proc: Operation not permitted

What environment are you running this in? Is it in a container, or a restrictive seccomp profile, or a chroot,...
If capabilities involved in creating containers have been removed from the bounding set, then yes, you can expect bubblewrap to fail some of its tests: it's a container tool. The...
This is an instance of a more general issue, that nesting containers (container inside container) doesn't always work. What distribution are you using, inside and outside the podman container? What...
The difference appears to be that without `--user 1000:1000`, podman gives you inheritable and ambient capabilities. `bwrap` has to be a bit paranoid about being invoked with unexpected capabilities, because...
> Could you make bwrap just issue a warning, but continue running?

Not really, because, as I said earlier:

> bwrap has to be a bit paranoid about being invoked...
This is on my list, but my list is not short.
In Debian, user namespaces are still not available *to unprivileged users*. They are available, but you have to be root. For Debian, that's because of this patch, which originated in...
I don't know what CentOS does: they might have unrestricted user namespaces (like Fedora, Ubuntu, and Arch Linux's normal kernel), or they might have user namespaces that can only be...
> As far as I can tell CentOS is unrestricted, could do a clone with CLONE_NEWUSER unprivileged.

Was it CentOS 8 that you were testing this in? I don't use...